HIPAA: Any requirement to separate data viewing applications from databases?


We've recently completed a successful (but small) prototype/pilot program involving the collection of "hazard-identification" data from health care workers.  Our "system" is comprised of 3 parts: a web-based data collection application, a data analysis application, and a database of stored data.  Although we don't specifically solicit sensitive info (directly covered by HIPAA) the health care workers frequently include this sort of information in their reports (to add context, for follow-up, etc.).

For the pilot program all of this was accomplished via a dedicated hosted server.  As we move forward, and expand, we're looking to implement a number of steps to ensure that we remain HIPAA compliant "beyond the science project mode".  In working with the tech support engineers at the Tier II SAS 70 data center that we intend to use, we're being told that "your data base needs to be maintained on a separate server from any data analysis program."  

I understand the logic and rationale behind this -- and I appreciate the engineers input -- but I'd like to find a specific reference that stipulates the need for this particular set-up.  

If anyone could point me in the right direction, that would be great!  
Jim P. Commented:
Any web app -- whether gathering data or giving it back (especially financial & health data) needs to be in a DMZ. Even if you are using a VPN solution, you should restrict exposure of your internal network as much as possible to an outside vendor/ consumer.

Typically your web server resides in a space that can be accessed from the internet and has very restricted links through the firewall into the internal network to read/write data. Your web app is considered an N-Tier app -- meaning 50 or 500 users can be accessing it and it controls R/W of data to the database.

Then your analysis app can be done either as N-Tier or client-server. The N-Tier there can be a client install that goes to the app server and the app server connects to the database.  The reasons for going the app server route can vary:

- Security: no client ever talks to the DB directly.

- Work load: the queries are complex/long running and the typical client can't do it.

- Load balancing: you want to be able to have multiple app servers so you can scale or load balance connections to the same DB.

- Network: the clients and app server reside in a remote location from the DB -- if your clients go back to the server direct you saturate the bandwidth.

- Web enabled: you want to use a web page to do analysis instead of touching clients every time you upgrade.

I can't tell you the best answer. It depends on your business model, your project plans, design considerations etc.

You will definitely need 2 servers -- the one that faces the web and the DB server. Beyond that it comes back to your design and model.
N-Tier Application Architecture

This link is for websphere -- but  it is pretty much the same regardless:
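To make the "very restricted links through the firewall" concrete, here is an added example (not from the thread or from any product) of host firewall rulesets for the two-server layout: a DMZ web server that accepts HTTPS from the internet and may only open sessions inward to the DB port, and an internal DB server that accepts the DB port only from the web tier and the analysis app server. All addresses, the management network and the DB port (5432, PostgreSQL assumed) are placeholders.

```shell
#!/bin/sh
# Added example: prints nftables rulesets for the DMZ web host and the internal DB host.
# Assumed placeholder values: web server 203.0.113.10 (DMZ), analysis app server 10.0.1.20,
# DB server 10.0.2.5 listening on 5432, management network 10.0.9.0/24.
# The functions only print a ruleset; review it and load with `nft -f` on the right host.

# Ruleset for the internal DB host: default drop; the DB port is reachable only from
# the web tier and the app tier, SSH only from the management network, rest is logged.
db_host_ruleset() {
  web_ip=$1 app_ip=$2 db_port=$3 mgmt_net=$4
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ip saddr { $web_ip, $app_ip } tcp dport $db_port ct state new accept
    ip saddr $mgmt_net tcp dport 22 ct state new accept
    log prefix "db-drop: " drop
  }
}
EOF
}

# Ruleset for the DMZ web host: HTTPS from anywhere, SSH from management only, and the
# only new outbound session it may open toward the internal network is to the DB port.
web_host_ruleset() {
  db_ip=$1 db_port=$2 mgmt_net=$3
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    tcp dport 443 ct state new accept
    ip saddr $mgmt_net tcp dport 22 ct state new accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    ip daddr $db_ip tcp dport $db_port ct state new accept
    log prefix "web-egress-drop: " drop
  }
}
EOF
}
```

The outbound default drop on the web host also blocks DNS, NTP and package updates; add explicit accept rules for those destinations if the host needs them. Analyst workstations never appear in the DB ruleset: they reach data only through the app server, which is the "no client ever talks to the DB directly" point above.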
Jim P. Commented:
Reading the Security Standards Technical Safeguards PDF at the HHS CMS Security Materials website -- there is no requirement to have separate servers to split the data from the app.

From the technical/sys admin/user point of view, you should make the app able to be on a separate server, because you are bound to run into some user who will be running it on several small servers, need to do clusters, or has a security standard that says the same thing.

HHS CMS Security Materials

Security Standards Technical Safeguards [PDF, 238KB]
blockmental (Author) Commented:
Hello jimpen,

I appreciate the input (and the links) and if you wouldn't mind, please...

As part of our "process" we serve as the 3rd-party "analysis provider" and we're the only ones with access to the data analysis app (ie, the "customers" can't run their own reports or view any of the raw data).  The only access the "customers" have to our software is via the web-based data collection app.

I'm not certain that this makes any difference WRT your comments about how a technical/sys admin/user might view all of this... but I'm HUGELY interested in pursuing something akin to a "best practice".  The data center engineers are telling us that in order to set-up two servers, plus a firewall, we need to get into a rack (vs. just a standalone dedicated server with a firewall).

What they're saying makes sense, but not being a techie type I'm curious as to whether (or not) the requirement to place both servers in the same rack is necessary.  Normally I'd say, "just do it" but the "rack option" seems to have a considerable impact on the cost per month.  As soon as the rack option was introduced we suddenly started talking about more costly servers, a more expensive firewall, and the need (which I can understand) for some rather hefty monthly management fees.

Any thoughts on the rack (vs. no rack) set-up would be most welcome -- ESPECIALLY if the "rack option" doesn't add to our overall level of security/safe-keeping.

Many thanks again!
blockmental (Author) Commented:
Thanks jimpen!

I'm always amazed at the lengths to which people such as yourself will go to on this forum to explain things... and especially when it comes to non-techies wrestling with unfamiliar issues.

Again, many thanks for confirming/validating what the data center engineers were suggesting.

All the best!
Jim P. Commented:
Glad to be of assistance. May all your days get brighter and brighter.
Question has a verified solution.
